It is possible to install the certificates manually but you
might notice that none of the articles mention specifically which certs to
export from another machine.

You can export them from a Windows 7 machine that does not
have a GPO policy blocking their installation via Windows Update and install
them to a Windows Server 2008 R2 machine and vice versa.

The certificates you need can be found in the Trusted Root Certification Authorities store
andare as follows:

·Microsoft Root Authority – 12/31/2020

·Microsoft Root Certificate Authority – 5/9/2021

·Microsoft Root Certificate Authority 2010 – 6/23/2035

·Microsoft Root Certificate Authority 2011 – 3/22/2036

On a candidate machine do the following:

To open the Microsoft Management Console,
click Start, and then in the Start Search box, type mmc,
and then press ENTER.

If the User Account Control dialog
box appears, confirm that the action it displays is what you want, and
then click Continue.

Click File, and then click Add/Remove
Snap-in.

In the Available snap-ins list, click
Certificates, and then click Add.

Click Computer Account, and then click
Next.

Click Local computer, and then click Finish.

If the certificate you want to install is on
a different computer, rather than another certificate store on this
computer, repeat steps 4 and 5, click Another computer, and then
enter its name or browse to it.

(if
you can’t connect to the remote computer use the All Tasks à export option and then copy the files to the other computer
an import them)

Click OK to close the Add or
Remove Snap-ins dialog box.

In the navigation pane, open the Trusted
Root Certification Authorities store.

In the details pane, right-click your
certificate, and then click Copy. (or All
Tasks à export if you
are moving them to a remote computer)

In the navigation pane, under Certificates
(Local Computer), right-click Trusted Root Certification
Authorities, and then click Paste. (or
import if you are moving them to a remote computer)

This solution is untested, and may also be blocked by your
system GPO policy, but if it works might be quicker.